role for the role the encrypting Lambda should run as (not necessary if
you provide --assume-role on the command line).

topic for the SNS topic to subscribe the Lambda to. If you set
topic to default then we will reuse any existing SNS topic that
specifies s3:ObjectCreated:*, or set one up if needed. If topic is
missing, then we’ll attach via a bucket notification.

Note: the set-bucket-encryption action is a much more effective way of
enabling encryption on a bucket.

Adds an encryption required bucket policy and merges with extant policy
statements. Note filters should be used to avoid hitting any buckets
that are being written to by AWS services, as these do not write
encrypted and will be blocked by this policy.